Month: September 2015

phpList is Open Source software for sending email newsletters, marketing campaigns and announcements: you can send to millions or just to a few hundred. For more information please see our features page.

phpList Ltd, the company behind phpList.com, are the primary developers of phpList. The phpList Ltd founder and CEO, Michiel Dethmers, has been the lead developer on the project since its inception in 2000, when it was designed for use by the Royal National Theatre.

Today, phpList has a large community of users, developers, documenters and translators. phpList Ltd has gone from strength to strength, offering comprehensive services from phpList.com, including expert deliverability, and supporting the wider phpList community through investment in phpList.org.

The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL
statements. A PDO adapter can treat null bytes in a query as a string
terminator, allowing an attacker to add arbitrary SQL following a null byte, and
thus create a SQL injection.

We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a
Linux environment to access a remote Microsoft SQL Server, and also tested
against pdo_sqlite, where we noted the same vector.

Action Taken

We added null byte filtering in the PDO abstract component
Zend_Db_Adapter_Pdo_Abstract. We decided to use the abstract component to
prevent null byte injection in all the PDO adapters once we discovered the
situation was not specific to pdo_dblib.

We used PHP's addcslashes function to escape null bytes (octal \000) before the value is quoted:

$value = addcslashes($value, "\000");
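The following is an added example, not code from Zend Framework: a quoteInto-style helper that applies the same addcslashes escaping before PDO::quote(), plus a guard that refuses to run SQL text still carrying a raw NUL byte. The helper names (findNulBytes, quoteEscapingNul, quoteInto), the in-memory SQLite DSN and the users table are assumptions constructed for the example.

```php
<?php
// Added example, not Zend Framework code. Demonstrates NUL-byte escaping before
// PDO::quote() and a pre-flight guard on the assembled SQL text.
// The SQLite in-memory connection and the "users" table are constructed here.

/**
 * Return the byte offsets of raw NUL characters in $sql (empty array if none).
 * Useful as a detection hook: log a hit before the driver ever sees the string.
 */
function findNulBytes($sql)
{
    $offsets = array();
    $pos = 0;
    while (($pos = strpos($sql, "\0", $pos)) !== false) {
        $offsets[] = $pos;
        $pos++;
    }
    return $offsets;
}

/**
 * Quote $value for SQL. addcslashes() rewrites each NUL byte as the
 * four-character sequence \000, so no string terminator survives into
 * the literal that PDO::quote() builds.
 */
function quoteEscapingNul(PDO $pdo, $value)
{
    if (is_int($value) || is_float($value)) {
        return $value;
    }
    $value = addcslashes($value, "\000");
    return $pdo->quote($value);
}

/**
 * Replace the single "?" placeholder in $sql with the quoted value and
 * refuse to return a statement that still contains a raw NUL byte.
 */
function quoteInto(PDO $pdo, $sql, $value)
{
    $statement = str_replace('?', quoteEscapingNul($pdo, $value), $sql);
    $hits = findNulBytes($statement);
    if ($hits !== array()) {
        throw new RuntimeException(
            'raw NUL byte in SQL at offset(s) ' . implode(',', $hits)
        );
    }
    return $statement;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed input: a NUL byte followed by text that only becomes SQL if a
// driver stops reading the literal at the terminator.
$tainted = "alice\0' OR 1=1 --";

// Hardened path: the literal now reads alice\000' OR 1=1 -- (backslash kept
// verbatim by SQLite), so the comparison matches no row.
$sql  = quoteInto($pdo, 'SELECT name FROM users WHERE name = ?', $tainted);
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo $sql, "\n";
echo count($rows), " row(s)\n";

// Detection path: a statement assembled without the escaping step still
// carries the raw NUL, and the guard reports its offset instead of running it.
$naive = "SELECT name FROM users WHERE name = '" . $tainted . "'";
echo 'raw NUL byte(s) at offset(s): ', implode(',', findNulBytes($naive)), "\n";
```

Running this prints the escaped statement, reports zero matching rows for the hardened query, and reports offset 42 for the naively concatenated string. The guard is deliberately separate from the escaping: escaping fixes the value, while the guard catches any code path (legacy string building, a driver that drops the escape) that still lets a terminator through.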

The following releases contain the fixes:

Zend Framework 1.12.16

Recommendations

If you use one of the PDO-based adapters in Zend Framework 1, we recommend
upgrading to 1.12.16 immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and
working with us to help protect its users:

Chris Kings-Lynne, who discovered and reported the issue against the Zend_Db_Adapter_Pdo_Mssql component of ZF1;

Cortana isn’t supposed to exist for at least another 500 years, but that’s not stopping Microsoft from bringing her to life. While Apple has Siri and Google has Google Now — both digital assistants that run on smartphones — Microsoft is taking an approach that mixes the best of the competition with its own unique take. Based on a 26th-century artificially intelligent character in the Halo video game series, Cortana will be our personal assistant and help organize daily tasks.